561 matches found

RubySec
added 2017/09/14 12:0 a.m. · 2 views

Buffer underrun vulnerability in Kernel.sprintf

There is a buffer underrun vulnerability in the sprintf method of the Kernel module. If a malicious format string which contains a precision specifier is passed and a huge minus value is also passed to the specifier, buffer underrun may be caused. In such situation, the result may contain heap, or th...

9.1 CVSS · 7.5 AI score · 0.01399 EPSS
Exploits 1 · References 1 · Affected Software 1

Hacker One
added 2017/03/10 11:48 a.m. · 48 views

Ruby: sprintf combined format string attack

In a ticket that was also reported to "shopify-scripts" regarding "MRuby", I reported in detail a combined attack against the sprintf gem: Information leak Heap buffer underflow The full ticket details can be found in: Ticket 212239 The ticket was opened several minutes ago but I add it in case ...

6.4 CVSS · 8.1 AI score · 0.01399 EPSS
Exploits 1

Hacker One
added 2017/03/10 11:35 a.m. · 34 views

shopify-scripts: sprintf gem - format string combined attack

In the sprintf gem, NOT included in mruby-engine, there are severe vulnerabilities, including information leak, and heap buffer overflow. Here are the technical details. Technical Error 1: ============== The CHECKl macro can sometimes receive negative values, that will bypass the size checks, sin...

7.3 AI score
Exploits 0

Hacker One
added 2017/02/08 3:18 p.m. · 15 views

shopify-scripts: segfault in mruby's sprintf - mrb_str_format

The mruby sprintf gem out of scope of mruby-engine can be crashed when using a hostile "width" value in the format string. Exploit Script =========== ruby s = "hello" sprintf"abcdefghijklmnopqrstuvwxyz % 2147483640s", s Here is the core dump: Core was generated by...

7 AI score
Exploits 0

Oracle Linux
added 2017/01/12 12:0 a.m. · 91 views

Unbreakable Enterprise kernel security update

kernel-uek 3.8.13-118.16.2 - net: avoid signed overflows for SO_{SND|RCV}BUFFORCE Eric Dumazet Orabug: 25203623 CVE-2016-9793 3.8.13-118.16.1 - nvme: Limit command retries Ashok Vairavan Orabug: 25374794 - tcp: fix use after free in tcp_xmit_retransmit_queue Eric Dumazet Orabug: 25374371 CVE-2016-6828 ...

7.8 CVSS · 2 AI score · 0.4799 EPSS
Exploits 28

Hacker One
added 2016/12/18 5:30 a.m. · 13 views

Ruby: Buffer underflow in sprintf

Hi, So I found this in mruby as part of the shopify-scripts program, and I notice that my patch also landed upstream in ruby as well. Shame on me for not checking ruby as well! Wondered if it counted for a bounty here as well? https://github.com/mruby/mruby/issues/3347 - issue that shopify guys...

0.2 AI score
Exploits 0

Hacker One
added 2016/12/15 7:52 a.m. · 20 views

shopify-scripts: Invalid memory access in `mrb_str_format`

Only affects mruby because mruby-engine doesn't have sprintf. I should have filed this last Friday before I went to the pub, so missed out on higher bounties. Oh well! Crash file is: sprintf"%1$c", 0 Crash is: $ lldb ./bin/mruby ../crash.rb lldb target create "./bin/mruby" Current executable set ...

1.1 AI score
Exploits 0

Tenable Nessus
added 2016/06/14 12:0 a.m. · 36 views

Debian DLA-513-1 : nspr security update

It was discovered that there was a buffer overflow in a sprintf utility within nspr, the NetScape Portable Runtime library. For Debian 7 'Wheezy', this issue has been fixed in nspr version 2:4.9.2-1+deb7u4. We recommend that you upgrade your nspr packages. NOTE: Tenable Network Security has...

8.6 CVSS · 7.9 AI score · 0.00823 EPSS
Exploits 0 · References 3

OSV
added 2016/06/12 12:0 a.m. · 22 views

DLA-513-1 nspr - security update

Bulletin has no description...

8.6 CVSS · 8.4 AI score · 0.00823 EPSS
Exploits 0

Zero Day Initiative
added 2016/02/05 12:0 a.m. · 25 views

Advantech WebAccess datacore Service datacore.exe sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x7920 IOCTL in the Kernel subsystem. A stack-based buffer...

9.3 CVSS · 4.6 AI score · 0.51468 EPSS
Exploits 9 · References 1

Zero Day Initiative
added 2016/02/05 12:0 a.m. · 37 views

(0Day) Advantech WebAccess webvrpcs Service BwWebSvc.dll ProjectName sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C71 IOCTL in the BwOpcTool subsystem. A stack-based buff...

9.3 CVSS · 8 AI score
Exploits 0 · References 1

Zero Day Initiative
added 2016/02/05 12:0 a.m. · 24 views

(0Day) Advantech WebAccess webvrpcs Service BwWebSvc.dll ProjectName/NodeName sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x13C7C IOCTL in the BwOpcTool subsystem. A stack-based buff...

9.3 CVSS · 8 AI score
Exploits 0 · References 1

Zero Day Initiative
added 2016/02/05 12:0 a.m. · 26 views

Advantech WebAccess webvrpcs Service BwpAlarm.dll sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x1136A IOCTL in the BwpAlarm subsystem. A stack-based buffe...

9.3 CVSS · 4.3 AI score · 0.51468 EPSS
Exploits 9 · References 1

Zero Day Initiative
added 2016/02/05 12:0 a.m. · 38 views

Advantech WebAccess webvrpcs Service BwOpcSvc.dll WindowName sprintf Stack-Based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the 0x1389F IOCTL in the BwOpcTool subsystem. A stack-based buff...

9.3 CVSS · 3.7 AI score · 0.51468 EPSS
Exploits 9 · References 1

Positive Technologies
added 2015/07/02 12:0 a.m. · 5 views

PT-2015-4910 · Debian +3 · Yubiserver

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue is related to buffer overflows caused by the misuse of sprintf. No additional details are provided about the estimated number of potentially...

9.8 CVSS · 6.2 AI score · 0.00598 EPSS
Exploits 0 · References 12

WPVulnDB
added 2015/06/08 12:0 a.m. · 27 views

Easy2Map <= 1.24 - SQL Injection

The Function.php file uses sprintf to format queries being sent to the database; this doesn't provide proper sanitisation of user input or properly parameterise the query. PoC $ sqlmap -u 'http://www.example.com/wp-admin/admin-ajax.php' --data="mapID=11='+or+1%3D%3D1%3B=e2mimgsavemapname"...

7.5 CVSS · 2.4 AI score · 0.1526 EPSS
Exploits 5 · References 3 · Affected Software 1

Mageia
added 2015/04/18 8:21 a.m. · 28 views

Updated perl-DBD-Firebird packages fix CVE-2015-2788

Updated perl-DBD-Firebird packages fix security vulnerability: Stefan Roas discovered a way to cause a buffer overflow in DBD::FireBird in certain error conditions, due to the use of the sprintf function to write to a fixed-size memory buffer (CVE-2015-2788)...

10 CVSS · 6.9 AI score · 0.07802 EPSS
Exploits 0 · References 2

OpenVAS
added 2015/04/11 12:0 a.m. · 121 views

Debian Security Advisory DSA 3219-1 (libdbd-firebird-perl - security update)

Stefan Roas discovered a way to cause a buffer overflow in DBD-FireBird, a Perl DBI driver for the Firebird RDBMS, in certain error conditions, due to the use of the sprintf function to write to a fixed-size memory buffer. OpenVAS Vulnerability Test $Id: deb3219.nasl 6609 2017-07-07 12:05:59Z...

10 CVSS · 1.2 AI score · 0.07802 EPSS
Exploits 0 · References 1

Packet Storm
added 2014/09/24 12:0 a.m. · 41 views

Advantech WebAccess dvs.ocx GetColor Buffer Overflow

This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', 'Description' = %q This module exploits a buffer overflow vulnerability in...

7.5 CVSS · 1.5 AI score · 0.40188 EPSS
Exploits 6

seebug.org
added 2014/07/01 12:0 a.m. · 15 views

VLC MMS Stream Handling Buffer Overflow

No description provided by source. This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use. http://metasploit.com/ require 'msf/core' class Metasploit3...

7.1 AI score
Exploits 0